Certified Ethical Hacker - Part 9 - Denial of Service

by Riazul H. Rozen
Jan. 30, 2018

Denial of Service Attack

A Denial of Service (DoS) attack is an attempt to overload a target system with fake service requests or traffic. A successful attack makes it difficult for users to access legitimate network or computer resources, because it blocks access to legitimate websites or slows down the performance of networks.

A DoS attack involves one attacker and one target system, while a DDoS (Distributed Denial of Service) attack uses numerous zombie systems against a target system. This not only increases the probability that the system is breached, it also ensures that the attack happens faster. A DDoS attack is carried out with botnets: the attacker uses handlers to compromise a large number of systems, which in turn attack the target system.

Classifying DoS and DDoS Attack Vectors

Volumetric attacks

Volumetric attacks, also known as bandwidth attacks, focus on overwhelming the bandwidth of the target network. This is a DDoS attack: it works with botnets and ICMP ECHO packets, flooding the system and affecting switches and routers, which have no defense against the huge statistical change. It uses all the bandwidth allocated to the target system, thereby preventing legitimate users from using any bandwidth.

Fragmentation attacks

They prevent the users of the target system from being able to put back together fragmented packets.

Application layer attacks

These attacks prevent users of the target system from gaining access to application resources. Application layer attacks focus on restricting access to resources on the target network, for instance email, network resources, servers and applications, by taking note of vulnerabilities in the source code and using them to the attacker's advantage. The attackers can carry out a range of activities with this method, for instance preventing a user from logging into a particular system by generating invalid login attempts.

TCP state-exhaustion attacks

They affect the connection state tables in the target systems. Areas such as application servers and firewalls are targeted.

This is done through service request floods that target server resources by flooding the servers with high connection rates through valid sources, rendering the server unusable and tearing down the TCP connection.

SYN flooding also works to break down the TCP connection in the target system. Here, the attacker exploits the 75-second listen window that opens up while two hosts communicate through SYN requests, by sending SYN requests to the target host without replying until the listen queue is filled up. SYN flooding is a way to carry out DoS attacks.
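On the defending side, this condition shows up as handshakes that never receive the final ACK. The sketch below is an added example, not code from the original article; the segment tuple layout, the backlog of 128 and the 80% fill ratio are assumptions, and the capture is constructed.

```python
from collections import Counter

LISTEN_TIMEOUT = 75.0  # seconds; the listen window quoted in the article

def half_open_by_listener(segments, now):
    """Count handshakes still waiting for the client's final ACK at `now`.

    segments: (ts, src, sport, dst, dport, flag) tuples seen at the server;
    flag is "S" (SYN), "A" (final ACK) or "R" (reset). Assumed layout.
    Returns {(dst, dport): half_open_count}.
    """
    pending = {}
    for ts, src, sport, dst, dport, flag in sorted(segments):
        key = (src, sport, dst, dport)
        if flag == "S":
            pending.setdefault(key, ts)
        else:  # ACK completes the handshake, RST aborts it
            pending.pop(key, None)
    counts = Counter()
    for (_, _, dst, dport), ts in pending.items():
        if now - ts < LISTEN_TIMEOUT:  # older entries have already timed out
            counts[(dst, dport)] += 1
    return dict(counts)

def flooded_listeners(segments, now, backlog=128, fill_ratio=0.8):
    """Listeners whose half-open count is close to filling the listen queue."""
    limit = backlog * fill_ratio
    table = half_open_by_listener(segments, now)
    return sorted(l for l, n in table.items() if n >= limit)

def constructed_capture():
    """Constructed sample: documentation-range addresses, not real traffic."""
    server, segs = "192.0.2.10", []
    for i in range(20):  # clients that complete the handshake on 443
        src = f"198.51.100.{i + 1}"
        segs.append((float(i), src, 40000 + i, server, 443, "S"))
        segs.append((i + 0.05, src, 40000 + i, server, 443, "A"))
    for i in range(150):  # SYNs to port 80 that are never acknowledged
        segs.append((30 + i * 0.1, f"203.0.113.{i + 1}", 50000 + i, server, 80, "S"))
    for i in range(5):  # stale SYNs, outside the window at now=100
        segs.append((0.0, f"203.0.113.{200 + i}", 60000 + i, server, 25, "S"))
    return segs

if __name__ == "__main__":
    print(flooded_listeners(constructed_capture(), now=100.0))
```

Counting per listener rather than per source matters here: every unanswered SYN in the sample comes from a different address, so a per-source threshold would never fire.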

DoS/DDoS Attack Tools

Pandora DDoS Bot Toolkit

This gives the attacker access to five modes of attack against the target system:

  • HTTP main
  • HTTP download
  • HTTP combo
  • Socket connect
  • Max Flood


This attacks TCP, UDP, and HTTP protocols, and is used by professionals to take down a target system.


The attack tool is used to target IP addresses, using selected user ports and protocol.



This is an HTTP flood denial-of-service attack testing tool for Windows. It carries out attacks using multiple asynchronous sockets. It has numerous uses for URL verification, enhanced reporting, performance monitoring and port designation.


Low Orbit Ion Cannon

This is an Android version of the software and is used to flood packets, which are then used to perform DoS attacks.


This software is automated and runs a couple of tasks on the internet, for instance web spidering and web search indexing. This simple software can be used by attackers to perform DoS attacks. The attacker usually infects one victim machine (a bot), which in turn searches for other vulnerable machines to create a botnet.


The infected bot can search through the internet for vulnerable machines through:

  • Random scanning. The IP addresses within the range of the target system are searched for vulnerabilities.
  • Topological scanning. The information gained from other infected machines is used to find new machines to infect.
  • Hit-list scanning. Machines that are potentially vulnerable are collected in a list and scanned to confirm which machines are vulnerable.
  • Permutation scanning. This method uses a permutation of a list of semi-randomly selected machines to locate the vulnerable ones.
  • Local subnet scanning. The infected machine searches for vulnerable machines in its own network.

Botnet Trojans

These are tools used to infect systems.

  • Blackshades NET. This is used to develop implant binaries.
  • Andromeda Bot.
  • Cynthia Botnet.
  • PlugBot. This is a hardware bot and is used mainly during penetration testing.

Countering DoS/DDoS Attacks

A DoS attack affects several aspects of the targeted organization, from loss of trust on the client's end to financial loss and an unorganized company. It is therefore important to note the ways to counter such attacks.

Activity profiling

Activity profiling is carried out by monitoring the header information of network packets; the result is the average packet rate for a network flow. A drastic shift in the activity levels of network flow clusters, or a change in the number of distinct clusters, especially a very large increase, means an attack is occurring.
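A small profiler along these lines, as an added example that is not part of the original article: the header tuple layout, the definition of a cluster as (destination, protocol, port) and the growth factor of 10 are assumptions of this sketch, and both capture windows are constructed.

```python
from collections import defaultdict

def profile(headers, window_s):
    """Summarise one capture window of packet headers.

    headers: (src, dst, proto, dport) tuples, one per packet (assumed layout).
    A flow is the full tuple; a cluster groups flows by (dst, proto, dport).
    Returns {cluster: (flow_count, average packets/second per flow)}.
    """
    flow_packets = defaultdict(int)
    for src, dst, proto, dport in headers:
        flow_packets[(src, dst, proto, dport)] += 1
    clusters = defaultdict(list)
    for (_, dst, proto, dport), n in flow_packets.items():
        clusters[(dst, proto, dport)].append(n / window_s)
    return {c: (len(r), sum(r) / len(r)) for c, r in clusters.items()}

def shifts(baseline, current, factor=10.0):
    """Clusters whose activity (flows x average rate) grew by `factor`,
    plus clusters that did not exist in the baseline window."""
    alerts = []
    for cluster, (flows, avg) in sorted(current.items()):
        if cluster not in baseline:
            alerts.append(("new-cluster", cluster, flows))
            continue
        b_flows, b_avg = baseline[cluster]
        if flows * avg >= factor * b_flows * b_avg:
            alerts.append(("activity-shift", cluster, flows))
    return alerts

def constructed_windows():
    """Two constructed 60-second windows using documentation addresses."""
    web = ("192.0.2.10", "tcp", 443)
    baseline = [(f"198.51.100.{i}", *web) for i in range(1, 11) for _ in range(30)]
    current = list(baseline)
    # ICMP echo packets from 200 sources: a cluster absent from the baseline
    current += [(f"203.0.113.{i}", "192.0.2.10", "icmp", 0)
                for i in range(1, 201) for _ in range(60)]
    # 100 additional sources on the web cluster, each at the usual per-flow rate
    current += [(f"198.51.100.{i}", *web) for i in range(11, 111) for _ in range(30)]
    return baseline, current

if __name__ == "__main__":
    base, cur = constructed_windows()
    print(shifts(profile(base, 60), profile(cur, 60)))
```

In the sample the per-flow average on the web cluster does not change at all; only the flow count does, which is why the comparison uses flows multiplied by average rate rather than the average alone.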

Changepoint detection

This uses algorithms that detect changes in network traffic statistics to locate attacks: the traffic data is filtered, the results are stored as a time series, and anomalies are picked out from this stored data.

Wavelet-based signal analysis

This is another method for discovering attacks. This method uses spectral components and accounts for time and frequency description. This analysis method accounts for the time at which certain frequencies are in the network and also uses the spectral window's energy to find breaches.
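For the changepoint detection method described earlier, the filter, time series and anomaly steps can be sketched with a one-sided cumulative-sum (CUSUM) statistic. This is an added example, not code from the original article: the choice of CUSUM, the parameters `train`, `k` and `h`, and the packet tuple layout are assumptions, and the packet list is constructed.

```python
from statistics import mean, pstdev

def to_series(packets, dport, n):
    """Filter packets by destination port and store per-second counts."""
    series = [0] * n
    for ts, port in packets:
        if port == dport and 0 <= int(ts) < n:
            series[int(ts)] += 1
    return series

def cusum_changepoint(series, train=20, k=0.5, h=5.0):
    """One-sided CUSUM for an upward shift in the packet rate.

    train: leading intervals assumed attack-free, used as the baseline.
    k, h:  slack and decision threshold, in baseline standard deviations.
    Returns (alarm_index, estimated_change_index) or None.
    """
    base = series[:train]
    mu, sigma = mean(base), pstdev(base) or 1.0
    s, start = 0.0, None
    for i in range(train, len(series)):
        z = (series[i] - mu) / sigma
        s_new = max(0.0, s + z - k)
        if s == 0.0 and s_new > 0.0:
            start = i  # statistic left zero here: candidate change point
        s = s_new
        if s > h:
            return i, start
    return None

def constructed_packets():
    """Constructed (timestamp, dst_port) records: 60 s of port-80 traffic
    with one isolated spike at t=30 and a sustained +5 pkt/s shift from t=40."""
    pattern = [100, 104, 98, 102, 96, 101, 99, 103, 97, 100]
    counts = [pattern[i % 10] + (5 if i >= 40 else 0) for i in range(60)]
    counts[30] = 108
    pkts = [(sec + j / c, 80) for sec, c in enumerate(counts) for j in range(c)]
    pkts += [(sec + 0.5, 53) for sec in range(60)]  # unrelated, filtered out
    return pkts

if __name__ == "__main__":
    series = to_series(constructed_packets(), dport=80, n=60)
    print(cusum_changepoint(series))
```

The isolated spike at t=30 raises the statistic but decays before reaching the threshold, while the sustained shift of only 5% accumulates and raises the alarm within three intervals.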

When an attack has been discovered, the countermeasures to take are:

  • Analysing traffic and communication ports between handlers to determine the infected machine.
  • Neutralizing bot handlers, which could serve to disable the botnet system.
  • Installing anti-virus and anti-Trojan software.
  • Keeping protective software up-to-date.
  • Orienting users on these attacks and how to prevent them.
  • Frequently scanning through the system.
  • Disabling services and uninstalling unused apps.
  • Finding more about the attacker using a honeypot. The honeypot is a system with lowered defenses, set up with the aim of drawing the attacker and gaining information about the said attacker.
  • Increasing bandwidth on critical connections to allow for the absorption of additional bandwidth generated during the attacks.
  • Duplicating servers to provide a safe zone for the network.
  • Preventing damage to servers through throttling.

DDoS/DoS Protection Tools

FortGuard Anti-DDoS Firewall 2014

This mitigates attacks by allowing legitimate traffic to pass through, as opposed to discarding the attack traffic. It protects the system from ARP snooping, TCP, SYN flooding, and other DDoS attacks. It also filters UDP/ICMP/IGMP packets for attacks.

Other tools include:

  • NetFlow Analyser
  • DefencePro
  • DPS arrest
  • WANGuard Sensor
  • DDosDefend

Published with the express permission of the author.